automated reasoning model checking with spin ii
play

Automated Reasoning Model Checking with SPIN (II) Alan Bundy - PowerPoint PPT Presentation

Mar 07, 2023 •183 likes •441 views

Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II) page 1 Verifying Global Properties Assertions can be used to verify a property locally locally For example, place assert(MemReturned) at the

  1. Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II) page 1

  2. Verifying Global Properties ● Assertions can be used to verify a property locally locally – For example, place assert(MemReturned) at the end of the process to verify that the requested memory has been returned before the process ends ● Some properties depend on non-local behaviour non-local behaviour of the model – For example, that the system never enters illegal states – or that it eventually enters the desired state ● Assertions alone are not not sufficient for verifying these properties ● A more powerful method is to use “never claims” Automated Reasoning SPIN (II) page 2

  3. Never Claims ● Roughly, never claims are used to specify system behaviour which should never occur ● In Promela, a never claim can be declared by never { ... <Promela code> ... } ● When generating a verifier, Spin creates one (active) process for the never claim declared ● Verifier executes the never-claim process between every execution of other processes ● Verifier reports error if the never-claim process ends Automated Reasoning SPIN (II) page 3

  4. Promela's goto Statement We might need to write loops in never claims. The simplest way is ● to use goto statement label_1: Labels mark locations in ● if the code (Note: a location :: p -> goto label_2 can have more than one label) :: else -> goto label_1 skip means “do nothing” fi; ● (usually needed because code label_2: cannot end with a label) skip goto statements redirect program execution to a labelled location ● in the code. So this code loops through label_1 as long as p is false ● – Where p is the property that is never meant to become true. Automated Reasoning SPIN (II) page 4

  5. Promela's do Loop The do command is another way to write loops in Promela: do do :: p -> break ; :: guard -> statement; :: else -> skip ; :: guard -> statement; od ; od ; ● The guards function as in an if statement: one statement whose guard is true will be executed ● But unlike if statements, the do body repeats ● The do loop ends only if a break statement is reached (or if a goto statement is used) Automated Reasoning SPIN (II) page 5

  6. Fred's Drinks Revisited mtype = { milk, lemonade, water }; bool bought_milk = false, bought_lemonade = false, bought_water = false; int num_drinks = 0; inline buy_item (a_drink, bought_a_drink) { ( item ==a_drink) -> bought_a_drink = true; Note: } num_drinks is proctype perhaps_buy (mtype item ) { now only atomic { incremented bool bought_something = true; when Fred buys if something. :: buy_item(milk, bought_milk); :: buy_item(lemonade, bought_lemonade); :: buy_item(water, bought_water); (This differs :: true -> bought_something = false; from fi; previously) if /* output what Fred bought, if anything */ :: bought_something -> printf("FRED BOUGHT "); num_drinks++; :: else -> printf("FRED DID NOT BUY "); fi; printm(item);printf("\n"); } } Automated Reasoning SPIN (II) page 6

  7. Fred's Drinks Revisited II ● As an example, in Fred's Drinks model, never claims can be used to verify that Fred can never buy more than two kinds of drinks ● Desired behaviour: in all runs, num_drinks≤2 at all times, i.e. in all runs □ (num_drinks≤2) ● Forbidden behaviour: in some run, num_drinks>2 at some time, i.e. in some run  (num_drinks>2) Automated Reasoning SPIN (II) page 7

  8. Fred's Drinks Revisited III ● Never claim for this property can be declared as follows: never { /* <>(num_drinks>2) */ do :: ((num_drinks>2)) -> break; :: else -> skip od } FredsNeverClaim ● do -loop exits and error is flagged whenever num_drinks becomes greater than 2 Automated Reasoning SPIN (II) page 8

  9. Verifying a Never Claim Run spin -a -N <NeverClaimFile> <ModelFile> to generate ● a verifier % spin -a -N FredsNeverClaim FredsDrinks # build a verifier % cc -o pan pan.c # compile the verifier % ./pan -e # run, looking for errors pan: claim violated! (at depth 20) pan: wrote FredsDrinks1.trail % ./pan -r1 # examine the error ... FRED BOUGHT milk ... ... FRED BOUGHT lemonade ... ... FRED BOUGHT water ... 20: proc 0 (:never:) line 71 (state 8) -end- ... As expected, there's an error trail! ● If the condition is changed to num_drinks>3 , the verifier will ● produce no errors Automated Reasoning SPIN (II) page 9

  10. Using LTL with Spin Spin can generate a never claim from the given LTL formula ● automatically Run spin -f '<LTLFormula>' . ● Spin's LTL syntax ● [] always ( □ ) eventually (  ) <> next ( X ) X logical negation ( ¬ ) ! strong until ( U ) U logical and ( ∧ ) && logical or ( ∨ ) || logical implication ( ⇒ ) -> <-> logical equivalence ( ⇔ ) Can use Promela variables or #define d symbols as propositions ● Automated Reasoning SPIN (II) page 10

  11. Using LTL with Spin (cont) Example: ● % spin -f '<>p' never { /* <>p */ T0_init: if :: ((p)) -> goto accept_all :: (1) -> goto T0_init fi; accept_all: skip } Need to add definition for p separately, e.g. ● #define p (num_drinks>2) Automated Reasoning SPIN (II) page 11

  12. The Bank Machine Revisited Model checking is often used to model dynamic systems, such as the bank machine from lecture 9: card cancel - inserted Enter card out Thanks, Welcome PIN Goodbye sufficient funds - wrong correct cash and card out ack problem - Try card out Amount? Sorry again We will represent this in Promela, using labels and goto , and then we will explore more complicated LTL claims. Automated Reasoning SPIN (II) page 12

  13. Bank Machine Promela Model mtype = { S_Welcome, S_Enter_Pin, S_Try_Again, S_Amount, S_Thanks_Goodbye, S_Sorry } Labels correspond mtype state to states in our Bank Machine inline setState(x) { atomic { state = x; ... } automaton. } The description of active proctype BankMachineModel() { current state is s_welcome: setState(S_Welcome); recorded in a global printf("BANK [card inserted]\n"); variable state (for s_enter_pin: setState(S_Enter_Pin); if display). :: true -> { printf("BANK [wrong pin]\n"); goto s_try_again ; } Notice the non- :: true -> { printf("BANK [correct pin]\n"); deterministic goto s_amount ; } choices in if -block :: true -> { printf("BANK [cancel]\n"); goto s_thanks_goodbye ; } fi; s_try_again: setState(S_Try_Again) ; goto s_enter_pin ; s_amount: .... end: skip; BankMachine } Automated Reasoning SPIN (II) page 13

  14. Bank Machine Runs card cancel - % spin BankMachine inserted Enter card out Thanks, Welcome BANK state is: S_Welcome PIN Goodbye BANK [card inserted] BANK state is: S_Enter_Pin sufficient funds - wrong BANK [correct pin] correct cash and card out ack BANK state is: S_Amount BANK [problem] BANK state is: S_Sorry problem - Try card out Amount? Sorry again BankMachine % spin BankMachine promela code BANK state is: S_Welcome BANK [card inserted] BANK state is: S_Enter_Pin BANK [wrong pin] % spin BankMachine BANK state is: S_Try_Again BANK state is: S_Welcome BANK state is: S_Enter_Pin BANK [card inserted] BANK [correct pin] BANK state is: S_Enter_Pin BANK state is: S_Amount BANK [cancel] BANK [sufficient funds] BANK state is: S_Thanks_Goodbye BANK state is: S_Thanks_Goodbye Automated Reasoning SPIN (II) page 14

  15. Verifying Bank Machine ● Desired behaviour: all runs eventually reach S_Thanks_Goodbye or S_Sorry , i.e. all runs satisfies  (state==S_Thanks_Goodbye ∨ state==S_Sorry) ● Forbidden behaviour: some run remains in other states, i.e. some run satisfies □ ( state!=S_Thanks_Goodbye ∧ state!=S_Sorry) ● We cannot tell that a run is forbidden from any (initial) finite portion. (Something unexpected might happen after that!) Welcome, EP, TA, EP, TA,..., EP, Thanks_Goodbye n Automated Reasoning SPIN (II) page 15

  16. Accept Cycles ● Can we write a never claim for this behaviour? Yes, but needs new error detection technique: accept cycles ● Accept labels : labels that begin with accept . e.g. accept , accept 1, accept _all, accept ing , ... ● Verifier flags errors if there is a run containing a cycle which goes through a location with an accept label ● Such a run goes through an accept label infinitely often ● Accept labels are normally used in never-claim blocks Automated Reasoning SPIN (II) page 16

  17. Verifying Bank Machine (II) % spin -a -N BankMachineNever1 Define p and q and run ● BankMachine spin -f '[] ((!p) && (!q))' % cc -o pan pan.c % ./pan -e -a to generate never claim ... #define p state==S_Thanks_Goodbye pan: acceptance cycle (at depth 4) #define q state==S_Sorry pan: wrote BankMachine1.trail never { /* [] (!p && !q) */ ... errors: 1 ... accept_init: T0_init: % ./pan -r1 if ... :: (! ((p)) && ! ((q))) -> BANK state is: S_Welcome ... goto T0_init BANK [card inserted] ... fi; BANK state is: S_Enter_Pin ... } <<<<<START OF CYCLE>>>>> ... BankMachineNever1 BANK [wrong pin] ... Run verifier using pan -e -a to ● BANK state is: S_Try_Again ... detect accept cycles BANK state is: S_Enter_Pin ... Verifier finds a problematic infinite run where ● the wrong pin is entered over and over again! Automated Reasoning SPIN (II) page 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model

Automated Reasoning Model Checking with Spin (III) Alan Bundy Automated Reasoning Model Checking with Spin (III) Lecture 12, page 1 Outline of Verification Process Objective: form one big automata, which Spin can use for verification.

1.01k views • 25 slides
Automated Reasoning Model Checking with SPIN Alan Bundy Automated Reasoning SPIN Lecture 10,

Automated Reasoning Model Checking with SPIN Alan Bundy Automated Reasoning SPIN Lecture 10,

Automated Reasoning Model Checking with SPIN Alan Bundy Automated Reasoning SPIN Lecture 10, page 1 Model Checking in Practice System behaviour: what is possible in our model? We will use the language Promela to specify behaviour

341 views • 18 slides
Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures

639 views • 26 slides
Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning

Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning

Automated Reasoning 6 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 1 6 6 Automated Reasoning 6.1 Automated theorem proving 6.2 Forward and backward chaining 6.3 Resolution 6.4 Model checking AI Slides (6e) c Lin Zuoquan@PKU

1.02k views • 97 slides
Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap

Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap

Automated Reasoning Lecture 3: Tie NuSMV Model Checler Jacques Fleuriot jdf@inf.ed.ac.uk Recap Previously: Model Checking Introduction Linear Temporal Logic Tiis time: An implementation of LTL Model Checking NuSMV NuSMV

442 views • 23 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan Resources Exam Methods Motivations Automated Reasoning Automated reasoning mechanising the reasoning process. reasoning :

159 views • 14 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Verifying Automated Reasoning Results Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ https://github.com/marijnheule/proof-demo Automated Reasoning and Satisfiability, October 10, 2019 1 / 53 Outline Introduction Proof Checking

825 views • 80 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning

Chalmers Automated Reasoning for System Security and Privacy Laura Kovcs Chalmers Automated Reasoning for Rigorous Systems Engineering In a vague sense, automated reasoning involves: 1. Representing a problem as a mathematical/logical

696 views • 53 slides
Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1,

Automated Reasoning Introduction Jacques Fleuriot Automated Reasoning Introduction Lecture 1, page 1 What is it to Reason? Informally, reasoning is: to seek or attain knowledge or truth or the process of drawing conclusions with

876 views • 18 slides
Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge

Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge

Automated Reasoning 1 Automated Reasoning John Harrison Univ ersit y of Cam bridge What is automated reasoning? Automatic vs. in teractiv e. Successes of the AI and logic approac hes Dev elopmen t of

523 views • 23 slides
Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking'

Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking'

0ai Automated Reasoning (what this course is about) AUTOMATED REASONING machine does 'thinking' machine does book-keeping, Krysia Broda user does nothing user does 'thinking'. Room 378 Concerned with GENERAL DEDUCTION - applicable in many

390 views • 5 slides
8/8/2007 Model Checking Motivation More and more complex systems Increased dependability

8/8/2007 Model Checking Motivation More and more complex systems Increased dependability

8/8/2007 Model Checking Motivation More and more complex systems Increased dependability : everything important Demonstration Of depends on computers SPIN SPIN Increased functionality : security, mobility Testing is becoming

202 views • 3 slides
New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome

New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome

New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome and opening remarks Martin Stewart Director, Banks, Building Societies and Credit Unions, PRA 2 New Bank Seminar Agenda Timing Session

1.29k views • 109 slides
Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What

Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What

Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What is Corporate Finance? Corporate finance is concerned about three main problems: 1. Planning and managing long-term investments (Capital Budgeting).

796 views • 5 slides
Citi Financial Services Colleen Johnston Conference Group Head Finance &amp; CFO TD Bank

Citi Financial Services Colleen Johnston Conference Group Head Finance &amp; CFO TD Bank

Citi Financial Services Colleen Johnston Conference Group Head Finance &amp; CFO TD Bank Financial Group January 2 8 , 2 0 0 9 Caution regarding Caution regarding forward-looking statements forward-looking statements From time to time, the

688 views • 19 slides
Draft report on the calibration of the leverage ratio under Article 511(3) CRR London 15

Draft report on the calibration of the leverage ratio under Article 511(3) CRR London 15

Draft report on the calibration of the leverage ratio under Article 511(3) CRR London 15 April 2016 Disclaimer The purpose of this presentation is to inform on the state of play of the report on the calibration the leverage ratio, which the

481 views • 20 slides
Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director

Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director

Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director Danske Bank, Group IT, Channels 12-05-2011 IT in Danske Bank Leading digital functionality for our private and corporate 10 million transactions

352 views • 20 slides
Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul

Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul

Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul 1 Literature Main literature for this lecture: 1. The ISO 27005 standard The NIST Special Publication 800- 30: Risk management 2. Guide for

929 views • 55 slides
GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

Chapter No. Page No. 9 201 International Finance IMPORT / EXPORT GUARANTEES GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF DISCHARGE THE LIABILITY OF THIRD PERSON IN CASE OF HIS DEFAULT.

463 views • 13 slides
SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS

SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS

Chapter No. Page No. 20 350 International Finance COMMERCIAL RATES OF EXCHANGE SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS RATE IS QUOTED FOR TRANSACTIONS WHERE THE FOREIGN CURRENCY

436 views • 12 slides

More recommend